Depend on the browser for the initial identification.
Once the file is loaded to your server, before it is made accessible,
open it as a byte stream and confirm that it is, in fact, a valid JPEG.
If it is not a valid JPEG, throw it out.
Reject JPEG's with an excessively large uncompressed or non-lossy
compressed sections, or that match a signature for the known viruses.
After this, shell out to the AV software to scan the file, capturing
the AV log, and reject any files that trigger warnings.
After all of this, make the file available for download.
Ben V. wrote: